File distributed by Figma, Inc.
MITRE ATT&CK behaviour matrix from the sandbox report. A technique that the report lists under more than one tactic column appears once below, with every tactic it was filed under in the first column.

| Tactic(s) | Technique | ATT&CK ID | Sandbox signatures observed |
|---|---|---|---|
| Execution | Windows Management Instrumentation | T1047 | Queries process information (via WMI, Win32_Process) |
| Execution | Command and Scripting Interpreter | T1059 | Sample may offer command line options; run it with the command line option cookbook (it's possible that the command line switches require additional characters like). Sample might require command line arguments; analyze it with the command line cookbook. Very long cmdline option found, which is very uncommon (may be encrypted or packed) |
| Persistence, Privilege Escalation | Create or Modify System Process: Windows Service | T1543.003 | Creates a software uninstall entry |
| Persistence, Privilege Escalation, Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | DLL hijacking vulnerability found; EXE hijacking vulnerability found |
| Persistence, Privilege Escalation, Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | Tries to load missing DLLs |
| Defense Evasion | Masquerading | T1036 | Creates files inside the user directory; drops files with a non-matching file extension (content does not match the file extension) |
| Defense Evasion, Discovery | Virtualization/Sandbox Evasion | T1497 | Contains long sleeps (>= 3 min); may sleep (evasive loops) to hinder dynamic analysis |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Creates guard pages, often used to prevent reverse engineering and debugging; uses taskkill to terminate processes |
| Discovery | Application Window Discovery | T1010 | Sample monitors window changes (e.g. starting applications); analyze the sample with the simulation cookbook |
| Discovery | Query Registry | T1012 | Monitors certain registry keys/values for changes (often done to protect autostart functionality) |
| Discovery | Remote System Discovery | T1018 | Reads the hosts file |
| Discovery | Process Discovery | T1057 | Queries a list of all running processes |
| Discovery | System Information Discovery | T1082 | Queries the volume information (name, serial number etc.) of a device; queries the cryptographic machine GUID; reads software policies; queries keyboard layouts; queries process information (via WMI, Win32_Process); checks the free space of hard drives |
| Discovery | File and Directory Discovery | T1083 | Reads ini files; enumerates the file system |
| Discovery | Software Discovery: Security Software Discovery | T1518.001 | AV process strings found (often used to terminate AV products) |
| Command and Control | Application Layer Protocol | T1071 | Performs DNS lookups |
| Command and Control | Non-Application Layer Protocol | T1095 | Performs DNS lookups |

Each row is a behavioural signature that fired during dynamic analysis, not a verdict. Creating an uninstall entry, dropping files under the user profile, terminating processes with taskkill, sleeping, and performing DNS lookups are also what an ordinary installer does, so the matrix needs to be read together with the sample's signer, the dropped files and the hosts it contacted before drawing a conclusion.
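The two hijack findings in the table (T1574.001 "DLL hijacking vulnerability found" and T1574.002 "Tries to load missing DLLs") come from watching where the loader looks for each imported DLL. The following added example, which is not code from the sandbox vendor, from Figma or from the report, models the default Windows search order (KnownDLLs, then the application directory, then the system directory) and classifies a list of imports the way a triage script would. The import list, the directory listings and the KnownDLLs subset are constructed sample data; on a real host you would take the imports from the PE import table and the listings from the install directory and %SystemRoot%\System32.

```python
"""Resolve an executable's imports against the default Windows DLL search
order to see which loads would produce a search-order hijack (T1574.001)
or a missing-DLL side-load candidate (T1574.002).

Added example for this report; not code from the sandbox vendor or Figma.
All inputs below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed subset of the KnownDLLs list kept under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# The loader maps these from the \KnownDlls object directory and never walks
# the search path for them, so they cannot be preempted from the app directory.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "gdi32.dll", "advapi32.dll"}


@dataclass
class Resolution:
    dll: str
    source: str    # where the loader finds it: knowndll / app_dir / system_dir / missing
    finding: str   # "" or one of: replaceable, preemptable, sideload_candidate


def resolve_imports(imports, app_dir_files, system_dir_files,
                    app_dir_writable=True, known_dlls=KNOWN_DLLS):
    """Model the search order with SafeDllSearchMode enabled: KnownDLLs,
    then the application directory, then the system directory. The later
    default locations (Windows directory, current directory, PATH) are not
    modelled individually; a name not found by that point is 'missing'."""
    app = {f.lower() for f in app_dir_files}
    sysdir = {f.lower() for f in system_dir_files}
    results = []
    for name in imports:
        n = name.lower()
        if n in known_dlls:
            results.append(Resolution(n, "knowndll", ""))
        elif n in app:
            # Loaded from beside the EXE. If that directory is user-writable
            # (an installer living under %LOCALAPPDATA%, for instance), the
            # file can simply be overwritten with attacker-controlled code.
            results.append(Resolution(n, "app_dir",
                                      "replaceable" if app_dir_writable else ""))
        elif n in sysdir:
            # Present in System32, but the loader probed the application
            # directory first: planting a same-named DLL there wins.
            results.append(Resolution(n, "system_dir",
                                      "preemptable" if app_dir_writable else ""))
        else:
            # Not present in any modelled location: every remaining search
            # location, including the current directory and PATH, is a drop
            # point, regardless of whether the app directory is writable.
            results.append(Resolution(n, "missing", "sideload_candidate"))
    return results


def findings(resolutions):
    """Map DLL name -> finding for every resolution that raised one."""
    return {r.dll: r.finding for r in resolutions if r.finding}


if __name__ == "__main__":
    # Constructed sample: an app installed under the user profile importing
    # two KnownDLLs, one private helper, two System32 DLLs (one of which it
    # also ships locally) and one DLL that exists nowhere on the machine.
    imports = ["KERNEL32.dll", "USER32.dll", "helper.dll", "VERSION.dll",
               "CRYPTBASE.dll", "optional-plugin.dll"]
    app_dir = ["app.exe", "helper.dll", "version.dll"]
    system32 = ["version.dll", "cryptbase.dll"]
    for r in resolve_imports(imports, app_dir, system32):
        print(f"{r.dll:22} {r.source:10} {r.finding}")
```

Two things the model makes visible that the one-line signature does not: a DLL shipped beside the executable is only a finding when the directory is writable by a less-privileged user, whereas an import that resolves nowhere is a side-load candidate either way, because the loader keeps walking the current directory and PATH for it. The report's "EXE hijacking vulnerability found" is the same idea applied to a child process started by an unqualified executable name, which CreateProcess resolves by walking a comparable path.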